EU court: Site operators can log visitors’ IP address for protection against attacks

The Court of Justice of the European Union (CJEU) has ruled that the German government can collect and keep IP addresses of visitors to websites operated by German Federal institutions, in order to protect those sites against cyberattacks (e.g. denial-of-service attacks).

The question of whether they should was raised by German Pirate Party politician Patrick Breyer, and the Bundesgerichtshof (German Federal Court of Justice) turned to the CJEU for a definitive answer.

“Furthermore, the Bundesgerichtshof asks whether the operator of a website must, at least in principle, have the possibility to collect and subsequently use visitors’ personal data in order to ensure the general operability of its website,” the CJEU noted.

The relevant German legislation says that visitors’ personal data must be deleted “at the end of the consultation period unless they are required for billing purposes.”

The CJEU ruled that the dynamic IP addresses assigned to Breyer’s computer cannot be considered personal data of the user and can, therefore, be collected and kept by the site operators.

The reasoning behind the ruling is that “dynamic IP addresses do not enable a link to be established, through files accessible to the public, between a given computer and the physical connection to the network used by the internet service provider,” i.e. that the data stored does not enable Breyer to be directly identified.

“The operators of the websites at issue in the main proceedings can identify Mr Breyer only if the information relating to his identity is communicated to them by his internet service provider. The classification of those data as ‘personal data’ thus depends on whether Mr Breyer is identifiable,” the court concluded.

But even if the user is identifiable by the IP address, the CJEU judged that a site operator can collect and use a visitor’s personal data not only “to the extent that it is necessary to facilitate and invoice the specific use of services by that visitor,” but also “to ensure the general operability of those services.”
